Fizcko / Azure_DevOps_Vault_Interaction

Azure DevOps extension to interact with HashiCorp Vault.
MIT License

Doesn’t have an integrated service connection #16

Closed juvai closed 8 months ago

juvai commented 1 year ago

Hello,

Is storing secrets in the pipeline the only way? I don't think that this is a good approach to storing secrets in the pipeline. Or maybe is there a way to use some type of service connection?

Fizcko commented 1 year ago

Hello,

The variables (read from Hashicorp Vault) are not stored.

They are available (during the pipeline execution) to be used by other tasks.

You can have more information here: https://learn.microsoft.com/en-us/azure/devops/pipelines/process/set-variables-scripts?view=azure-devops&tabs=bash

juvai commented 1 year ago

I am talking about the secrets (credentials) that you need to log in to Vault. The task of the extension requires a login method; depending on the method used, it requires a username and password, a token, etc. So is it the only way to reach the Vault, or will the Service Connection arrive in the future?

docbyte86 commented 1 year ago

You can use Azure Pipeline library variables and store them as secrets. -> https://learn.microsoft.com/en-us/azure/devops/pipelines/process/set-secret-variables?view=azure-devops&tabs=yaml%2Cbash

Example:

Create pipeline library variables called

VAULT_PATH VAULT_PW VAULT_USR VAULT_ADDR

and add the correct values. Mark VAULT_PW as secret and add the Variables to the execution like:

  - task: VaultReadKV@4
    inputs:
      strUrl: '$(VAULT_ADDR)'
      ignoreCertificateChecks: false
      useProxy: 'none'
      strAuthType: 'userpass'
      strUsername: '$(VAULT_USR)'
      strPassword: '$(VAULT_PW)'
      strKVEnginePath: '$(VAULT_PATH)'
      strSecretPath: '${{parameters.vaultSecretPath}}'
      kvVersion: '${{parameters.vaultVersion}}'
      strPrefixType: 'none'
      replaceCR: false

... and yes, I also prefer to use a service connection. But this is a working workaround.
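As an added illustration (not code from the extension or from anyone in this thread) of what the VaultReadKV@4 step above does end to end: the Vault credentials come in through environment variables mapped from the secret pipeline variables docbyte86 names, the task logs in with userpass, reads a KV v1 or v2 secret over Vault's HTTP API, and hands each value to later tasks with the `##vso[task.setvariable ...]` logging command Fizcko linked, flagged `issecret=true` so the agent masks it. The transport is an injected callable so the example runs offline against a constructed fake Vault; the command escaping follows azure-pipelines-task-lib as I understand it (an assumption), and all hostnames, tokens and secret values are made up.

```python
import json
import urllib.request

def userpass_login(addr, username, password, http):
    """POST /v1/auth/userpass/login/<user>; keep only the client token."""
    body = http("POST", f"{addr}/v1/auth/userpass/login/{username}",
                {"password": password}, None)
    return body["auth"]["client_token"]

def read_kv(addr, token, mount, path, kv_version, http):
    """Read one KV secret; KV v2 adds a /data/ path segment and nests the data."""
    url = f"{addr}/v1/{mount}/data/{path}" if kv_version == 2 else f"{addr}/v1/{mount}/{path}"
    body = http("GET", url, None, token)
    return body["data"]["data"] if kv_version == 2 else body["data"]

def set_variable_command(name, value):
    """##vso logging command that exposes `value` to later tasks as a masked secret."""
    # Escaping assumed to mirror azure-pipelines-task-lib: properties escape %, CR, LF,
    # ']' and ';' so a value cannot close the bracket or inject another property; the
    # data part escapes only %, CR and LF.
    prop = (name.replace("%", "%AZP25").replace("\r", "%0D").replace("\n", "%0A")
                .replace("]", "%5D").replace(";", "%3B"))
    data = value.replace("%", "%AZP25").replace("\r", "%0D").replace("\n", "%0A")
    return f"##vso[task.setvariable variable={prop};issecret=true]{data}"

def export_secrets(env, secret_path, kv_version, http):
    """Credentials arrive via env (VAULT_* mapped from secret pipeline variables)."""
    token = userpass_login(env["VAULT_ADDR"], env["VAULT_USR"], env["VAULT_PW"], http)
    secrets = read_kv(env["VAULT_ADDR"], token, env["VAULT_PATH"], secret_path, kv_version, http)
    return [set_variable_command(k, v) for k, v in secrets.items()]

def http_urllib(method, url, payload, token):
    """Real transport: JSON over HTTPS, token sent in the X-Vault-Token header."""
    req = urllib.request.Request(url, method=method, headers={"Content-Type": "application/json"},
                                 data=None if payload is None else json.dumps(payload).encode())
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def fake_vault(method, url, payload, token):
    """Constructed offline stand-in for Vault; every value here is made up."""
    if method == "POST" and url.endswith("/v1/auth/userpass/login/ci-reader") and payload == {"password": "pw"}:
        return {"auth": {"client_token": "hvs.FAKE-TOKEN"}}
    if method == "GET" and token == "hvs.FAKE-TOKEN" and url.endswith("/v1/kv/data/app/db"):
        return {"data": {"data": {"DB_PASSWORD": "p;a]ss%\nword"}, "metadata": {"version": 3}}}
    if method == "GET" and token == "hvs.FAKE-TOKEN" and url.endswith("/v1/kv/app/db"):
        return {"data": {"DB_USER": "app"}}
    raise PermissionError("permission denied")  # stands in for Vault's HTTP 403
```

Swap `fake_vault` for `http_urllib` to run against a real Vault; the printed commands are consumed by the agent only when emitted on stdout of a pipeline step.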

Fizcko commented 8 months ago

Hi @juvai,

I've just published a new release, 5.0.0, on the Azure DevOps marketplace.

This version includes the ability to manage some credentials with a service connection.

Regards